Security for Process Automation with SIMATIC PCS 7
When process plants are networked with other parts of the company, they become directly or indirectly connected to the Internet and are therefore exposed to cyber threats. Siemens offers an industrial security solution that reliably defends against these potential threats and safeguards all aspects of production systems while taking into consideration the specific requirements of process equipment.
The latest version of the SIMATIC PCS 7 Process Control System (Version 8.0) provides application-oriented innovations, advanced performance features, and well-rounded functions. It is therefore the perfect basis for more economical process plants. In addition to its well-established features, such as its flexible function range, scalability, batch automation, and energy management, Siemens PCS 7 focuses specifically on industrial security. The current security concept of PCS 7 identifies a number or recommendations and measures.
As described in the defense-in-depth concept, the segmentation of production plants into multiple stand-alone security cells forms the basis for a modern security structure. The security cells can range in size from a small automation unit to a whole building. As completely independent units, they are fully protected by all required security mechanisms. Only permitted data communication to and from the SIMATIC PCS 7 process control system via defined access points is enabled. This is accomplished by an automation firewall (Microsoft Forefront TMG Appliance) or a Scalance S security module.
Virus protection and firewalls
Firewalls and virus scanners at all access points protect the individual computers and networks within the security cells from unauthorized access. This means that no other dedicated firewalls are required within the cells. This simplifies computer administration and increases system performance.
The SIMATIC PCS 7 security concept supports use of Microsoft Forefront Threat Management Gateway (MS Forefront TMG), Windows Firewall, and Scalance S security modules. These modules differ from office devices in that they are suitable for industrial use (IP30) and easy to configure.
With SIMATIC PCS 7 AddOn Automation Firewall, a secure web connection and secure remote access are available for a comprehensive security concept. It was developed specifically for use in a PCS 7/WinCC environment and can be configured as a front/back firewall, 3-homed firewall, or access point firewall. A variety of models for different network loads enables a wide range of use, from the update server or anti-virus server to OPC servers within a perimeter network.
In addition to firewalls, virus scanners are the most frequently used products aimed at improving plant security. SIMATIC PCS 7 and SIMATIC WinCC support the three most commonly used virus scanners for production and control systems:
Trendmicro Office Scan Client-Server Suite
Symantec Endpoint Protection
McAfee VirusScan Enterprise
Windows security patch management
Another aspect of the defense-in-depth strategy is the management of patches for the various computers of the process control system. Microsoft regularly provides Windows security patches to close security gaps that have been detected in Windows components. Our security laboratory checks MS patches that are relevant to SIMATIC PCS 7 on an ongoing basis, in order to ensure their compatibility with the current SIMATIC system versions. After conclusion of the compatibility tests, the test results are published on our Service & Support portal.
User and rights administration
Another key element of the security concept is consistent user and rights administration with strict access control. The minimality principle applies: an individual user or the individual application receives only the rights that it actually needs for the task at hand. Incorrect operator actions - intentional or accidental - can best be avoided in this way. SIMATIC PCS 7 and WinCC support central user administration with the SIMATIC Logon software package, which enables authorizations to be assigned for SIMATIC applications and plant areas. SIMATIC Logon uses Windows User Administration tools for functions such as automatic logoff and automatic expiration of passwords.
Time synchronization within a SIMATIC system helps to minimize timeouts and supports the synchronization, traceability, documentation, and archiving of all time-critical sequences. Time synchronization is often neglected but its importance should not be underestimated: If systems are not synchronized, there is potential risk that a domain client will be denied logon to its domain controller. This is caused by a security feature in Windows that prevents possibly unauthorized access to an existing session if a pre-assigned time difference between client and server is exceeded.
Network structuring and administration
To support a flexible network structure and efficient administration of SIMATIC systems, it is possible to use Windows Active Directory to implement DHCP servers, assign IP addresses, map plant segments to subnets, and centrally manage plant PCs and users.
Disaster recovery concepts are used to regain access to data, hardware, and software after a failure for the purpose of restoring operation. Since high priority is placed on data availability in process control systems, the ability to restore data quickly is critical.
In SIMATIC PCS 7, every plant PC is supplied with a complete image of the system software that can be used to restore the system partition at any time in the event of data loss. Siemens offers several programs for archiving process data, including StoragePlus, Central Archive Server (CAS), and Simatic IT Historian.
In addition, it is also possible to create an image while the production plant is running. More information about this is available in the Customer Support portal.
SIMATIC Security Laboratory
Industrial security is a central objective during a product's development phase and an integral component of system tests and requirement for a product's release. The SIMATIC Security Laboratory is working continuously on expanding and optimizing the SIMATIC security concept. The results of the security team's work flow directly into product and software development, thus ensuring continuous improvement in the security of our products.